#!/usr/bin/perl
# save_rule.cgi
# Save, create or delete a rule in a chain
require './firewall-lib.pl';
&ReadParse();
if (&get_ipvx_version() == 6) {
require './firewall6-lib.pl';
}
else {
require './firewall4-lib.pl';
}
&error_setup($text{'save_err'});
@tables = &get_iptables_save();
$table = $tables[$in{'table'}];
&can_edit_table($table->{'name'}) || &error($text{'etable'});
if ($in{'new'}) {
$rule = { 'chain' => $in{'chain'} };
}
else {
$rule = $table->{'rules'}->[$in{'idx'}];
&can_jump($rule) || &error($text{'ejump'});
}
if ($in{'clone'}) {
# Go back to the editing page
&redirect("edit_rule.cgi?version=${ipvx_arg}&new=1&clone=$in{'idx'}&".
"table=".&urlize($in{'table'})."&".
"chain=".&urlize($rule->{'chain'}));
}
&lock_file($ipvx_save);
if ($in{'delete'}) {
# Just delete this rule
splice(@{$table->{'rules'}}, $in{'idx'}, 1);
}
else {
# Validate and store inputs
if ($config{'comment_mod'}) {
$in{'cmt'} =~ s/^\s+//;
$in{'cmt'} =~ s/\s+$//;
if ($in{'cmt'}) {
$rule->{'comment'} = [ "", $in{'cmt'} ];
push(@mods, "comment");
}
else {
delete($rule->{'comment'});
}
}
else {
$rule->{'cmt'} = $in{'cmt'};
delete($rule->{'comment'});
@mods = grep { $_ ne "comment" } @mods;
}
if ($in{'jump'} eq '*') {
$in{'other'} =~ /^\S+$/ || &error($text{'save_echain'});
$rule->{'j'} = [ "", $in{'other'} ];
}
elsif ($in{'jump'}) {
$rule->{'j'} = [ "", $in{'jump'} ];
}
else {
delete($rule->{'j'});
}
&can_jump($rule) || &error($text{'save_ecanjump'});
if (defined($in{'rwithtype'})) {
if ($rule->{'j'}->[1] eq 'REJECT' && !$in{'rwithdef'}) {
$rule->{'reject-with'} = [ "", $in{'rwithtype'} ];
}
else {
delete($rule->{'reject-with'});
}
}
# Parse redirect or masquerade input
if ($table->{'name'} eq 'nat') {
if ($rule->{'j'}->[1] eq 'REDIRECT' && !$in{'rtodef'}) {
$in{'rtofrom'} =~ /^\d+$/ ||
&error($text{'save_ertoports'});
$in{'rtoto'} =~ /^\d*$/ ||
&error($text{'save_ertoports'});
$rule->{'to-ports'} = [ "", $in{'rtoto'} eq '' ?
$in{'rtofrom'} : $in{'rtofrom'}."-".$in{'rtoto'} ];
}
elsif ($rule->{'j'}->[1] eq 'MASQUERADE' && !$in{'mtodef'}) {
$in{'mtofrom'} =~ /^\d+$/ ||
&error($text{'save_emtoports'});
$in{'mtoto'} =~ /^\d*$/ ||
&error($text{'save_emtoports'});
$rule->{'to-ports'} = [ "", $in{'mtoto'} eq '' ?
$in{'mtofrom'} : $in{'mtofrom'}."-".$in{'mtoto'} ];
}
else {
delete($rule->{'to-ports'});
}
}
if ($table->{'name'} eq 'nat' && $rule->{'chain'} ne 'POSTROUTING') {
if ($rule->{'j'}->[1] eq 'DNAT' && !$in{'dnatdef'}) {
!$in{'dipfrom'} || &check_ip6address($in{'dipfrom'}) ||
&error($text{'save_edipfrom'});
!$in{'dipto'} || &check_ip6address($in{'dipto'}) ||
&error($text{'save_edipto'});
local $v = "[".$in{'dipfrom'}."]";
$v .= "-[".$in{'dipto'}."]" if ($in{'dipto'});
if ($in{'dpfrom'} ne '') {
$in{'dpfrom'} =~ /^\d+$/ ||
&error($text{'save_edpfrom'});
$in{'dpto'} =~ /^\d*$/ ||
&error($text{'save_edpto'});
if ($in{'dpto'} eq '') {
$v .= ":".$in{'dpfrom'};
}
else {
$v .= ":".$in{'dpfrom'}."-".$in{'dpto'};
}
}
$rule->{'to-destination'} = [ "", $v ];
}
else {
delete($rule->{'to-destination'});
}
}
if ($table->{'name'} eq 'nat' && $rule->{'chain'} ne 'PREROUTING' &&
$rule->{'chain'} ne 'OUTPUT') {
if ($rule->{'j'}->[1] eq 'SNAT' && !$in{'snatdef'}) {
(!$in{'sipfrom'} && !$in{'sipto'}) ||
&check_ip6address($in{'sipfrom'}) ||
&error($text{'save_esipfrom'});
!$in{'sipto'} || &check_ip6address($in{'sipto'}) ||
&error($text{'save_esipto'});
local $v = $in{'sipfrom'};
$v .= "-".$in{'sipto'} if ($in{'sipto'});
if ($in{'spfrom'} ne '') {
$in{'spfrom'} =~ /^\d+$/ ||
&error($text{'save_espfrom'});
$in{'spto'} =~ /^\d*$/ ||
&error($text{'save_espto'});
if ($in{'spto'} eq '') {
$v .= ":".$in{'spfrom'};
}
else {
$v .= ":".$in{'spfrom'}."-".$in{'spto'};
}
}
$rule->{'to-source'} = [ "", $v ];
}
else {
delete($rule->{'to-source'});
}
}
if (&parse_mode("source", $rule, "s")) {
&check_ipmask($in{'source'}) || &error($text{'save_esource'});
$rule->{'s'}->[1] = $in{'source'};
}
if (&parse_mode("dest", $rule, "d")) {
&check_ipmask($in{'dest'}) || &error($text{'save_edest'});
$rule->{'d'}->[1] = $in{'dest'};
}
if (&parse_mode("in", $rule, "i")) {
$in{'in'} ne '' || $in{'in_other'} =~ /^\S+$/ ||
&error($text{'save_ein'});
$rule->{'i'}->[1] = $in{'in'} eq '' || $in{'in'} eq 'other' ?
$in{'in_other'} : $in{'in'};
}
if (&parse_mode("out", $rule, "o")) {
$in{'out'} ne '' || $in{'out_other'} =~ /^\S+$/ ||
&error($text{'save_eout'});
$rule->{'o'}->[1] = $in{'out'} eq '' || $in{'out'} eq 'other' ?
$in{'out_other'} : $in{'out'};
}
if ($in{'frag'} == 0) { delete($rule->{'f'}); }
elsif ($in{'frag'} == 1) { $rule->{'f'} = [ "" ]; }
else { $rule->{'f'} = [ "!" ]; }
if (&parse_mode("proto", $rule, "p")) {
$in{'proto'} || $in{'proto_other'} =~ /^\d+$/ ||
&error($text{'save_eproto'});
$rule->{'p'}->[1] = $in{'proto'} || $in{'proto_other'};
if (!$rule->{'p'}->[0]) {
$proto = $in{'proto'};
push(@mods, $in{'proto'})
if ($proto eq 'tcp' || $proto eq 'udp' ||
$proto eq "icmp${ipvx_icmp}" && $in{'icmptype_mode'});
}
}
if (&parse_mode("sport", $rule, "sport")) {
$proto eq "tcp" || $proto eq "udp" || $proto eq "sctp" ||
&error($text{'save_etcpudp'});
if ($in{"sport_type"} == 0) {
$in{"sport"} =~ /^\S+$/ ||
&error($text{'save_esport'});
if ($in{"sport"} =~ /,/) {
$rule->{'sports'}->[1] = $in{"sport"};
$rule->{'sports'}->[0] = $rule->{'sport'}->[0];
push(@mods, "multiport");
delete($rule->{'sport'});
}
else {
$rule->{'sport'}->[1] = $in{"sport"};
delete($rule->{'sports'});
}
}
else {
$in{"sport_from"} =~ /^\d*$/ ||
&error($text{'save_esportfrom'});
$in{"sport_to"} =~ /^\d*$/ ||
&error($text{'save_esportto'});
$rule->{'sport'}->[1] = $in{"sport_from"}.":".
$in{"sport_to"};
$rule->{'sport'}->[1] eq ":" &&
&error($text{'save_esportrange'});
delete($rule->{'sports'});
}
}
else {
delete($rule->{'sports'});
}
if (&parse_mode("dport", $rule, "dport")) {
$proto eq "tcp" || $proto eq "udp" || $proto eq "sctp" ||
&error($text{'save_etcpudp'});
if ($in{"dport_type"} == 0) {
$in{"dport"} =~ /^\S+$/ ||
&error($text{'save_edport'});
if ($in{"dport"} =~ /,/) {
$rule->{'dports'}->[1] = $in{"dport"};
$rule->{'dports'}->[0] = $rule->{'dport'}->[0];
push(@mods, "multiport");
delete($rule->{'dport'});
}
else {
$rule->{'dport'}->[1] = $in{"dport"};
delete($rule->{'dports'});
}
}
else {
$in{"dport_from"} =~ /^\d*$/ ||
&error($text{'save_edportfrom'});
$in{"dport_to"} =~ /^\d*$/ ||
&error($text{'save_edportto'});
$rule->{'dport'}->[1] = $in{"dport_from"}.":".
$in{"dport_to"};
$rule->{'dport'}->[1] eq ":" &&
&error($text{'save_edportrange'});
delete($rule->{'dports'});
}
}
else {
delete($rule->{'dports'});
}
if (&parse_mode("ports", $rule, "ports")) {
$proto eq "tcp" || $proto eq "udp" || $proto eq "sctp" ||
&error($text{'save_etcpudp'});
$in{"ports"} =~ /^\S+$/ || &error($text{'save_eports'});
$rule->{'ports'}->[1] = $in{'ports'};
push(@mods, "multiport");
}
if (&parse_mode("tcpflags", $rule, "tcp-flags")) {
$proto eq "tcp" || &error($text{'save_etcp1'});
local $tcp0 = join(",", split(/\0/, $in{"tcpflags0"}));
local $tcp1 = join(",", split(/\0/, $in{"tcpflags1"}));
#$tcp0 && $tcp1 || &error($text{'save_etcpflags'});
$tcp0 || &error($text{'save_etcpflags2'});
$rule->{'tcp-flags'}->[1] = $tcp0;
$rule->{'tcp-flags'}->[2] = $tcp1 || "NONE";
}
if (&parse_mode("tcpoption", $rule, "tcp-option")) {
$proto eq "tcp" || &error($text{'save_etcp2'});
$in{"tcpoption"} =~ /^\d+$/ ||
&error($text{'save_etcpoption'});
$rule->{'tcp-option'}->[1] = $in{"tcpoption"};
}
if (&parse_mode("icmptype", $rule, "icmp${ipvx_icmp}-type")) {
$proto eq "icmp${ipvx_icmp}" || &error($text{'save_eicmp'});
$rule->{"icmp${ipvx_icmp}-type"}->[1] = $in{'icmptype'};
}
if (&parse_mode("macsource", $rule, "mac-source")) {
$in{"macsource"} =~ /^([0-9a-z]{2}:){5}[[0-9a-z]{2}$/i ||
&error($text{'save_emac'});
$rule->{'mac-source'}->[1] = $in{'macsource'};
push(@mods, "mac");
}
if (&parse_mode("limit", $rule, "limit")) {
$in{'limit0'} =~ /^\d+$/ || &error($text{'save_elimit'});
$rule->{'limit'}->[1] = $in{'limit0'}."/".$in{'limit1'};
push(@mods, "limit");
}
if (&parse_mode("limitburst", $rule, "limit-burst")) {
$in{'limitburst'} =~ /^\d+$/ ||
&error($text{'save_elimitburst'});
$rule->{'limit-burst'}->[1] = $in{'limitburst'};
push(@mods, "limit");
}
if ($rule->{'chain'} eq 'OUTPUT') {
if (&parse_mode("uidowner", $rule, "uid-owner")) {
defined(getpwnam($in{"uidowner"})) ||
&error($text{'save_euidowner'});
$rule->{'uid-owner'}->[1] = $in{"uidowner"};
push(@mods, "owner");
}
if (&parse_mode("gidowner", $rule, "gid-owner")) {
defined(getgrnam($in{"gidowner"})) ||
&error($text{'save_egidowner'});
$rule->{'gid-owner'}->[1] = $in{"gidowner"};
push(@mods, "owner");
}
if (&parse_mode("pidowner", $rule, "pid-owner")) {
$in{"pidowner"} =~ /^\d+$/ ||
&error($text{'save_epidowner'});
$rule->{'pid-owner'}->[1] = $in{"pidowner"};
push(@mods, "owner");
}
if (&parse_mode("sidowner", $rule, "sid-owner")) {
$in{"sidowner"} =~ /^\d+$/ ||
&error($text{'save_esidowner'});
$rule->{'sid-owner'}->[1] = $in{"sidowner"};
push(@mods, "owner");
}
}
# Save connection states and TOS
my $sd = &supports_conntrack() ? "ctstate" : "state";
if (&parse_mode($sd, $rule, $sd)) {
@states = split(/\0/, $in{$sd});
@states || &error($text{'save_estates'});
$rule->{$sd}->[1] = join(",", @states);
push(@mods, $sd eq "state" ? "state" : "conntrack");
}
if (&parse_mode("tos", $rule, "tos")) {
$rule->{'tos'}->[1] = $in{'tos'};
push(@mods, "tos");
}
# Parse physical input and output interfaces
if (&parse_mode("physdevin", $rule, "physdev-in")) {
$in{'physdevin'} ne '' || $in{'physdevin_other'} =~ /^\S+$/ ||
&error($text{'save_ephysdevin'});
$rule->{'physdev-in'}->[1] =
$in{'physdevin'} eq '' || $in{'physdevin'} eq 'other' ?
$in{'physdevin_other'} : $in{'physdevin'};
push(@mods, "physdev");
}
if (&parse_mode("physdevout", $rule, "physdev-out")) {
$in{'physdevout'} ne '' || $in{'physdevout_other'} =~ /^\S+$/ ||
&error($text{'save_ephysdevout'});
$rule->{'physdev-out'}->[1] =
$in{'physdevout'} eq '' || $in{'physdevout'} eq 'other' ?
$in{'physdevout_other'} : $in{'physdevout'};
push(@mods, "physdev");
}
# Parse physdev match modes
if (&parse_mode("physdevisin", $rule, "physdev-is-in")) {
push(@mods, "physdev");
}
if (&parse_mode("physdevisout", $rule, "physdev-is-out")) {
push(@mods, "physdev");
}
if (&parse_mode("physdevisbridged", $rule, "physdev-is-bridged")) {
push(@mods, "physdev");
}
# Add custom parameters and modules
$rule->{'args'} = $in{'args'};
push(@mods, split(/\s+/, $in{'mods'}));
# Save the rule
if (@mods) {
$rule->{'m'} = [ map { [ "", $_ ] } &unique(@mods) ];
}
else {
delete($rule->{'m'});
}
delete($rule->{'j'}) if (!$in{'jump'});
if ($in{'new'}) {
if ($in{'before'} ne '') {
splice(@{$table->{'rules'}}, $in{'before'}, 0, $rule);
}
elsif ($in{'after'} ne '') {
splice(@{$table->{'rules'}}, $in{'after'}+1, 0, $rule);
}
else {
push(@{$table->{'rules'}}, $rule);
}
}
}
# Write out the new save file
&run_before_command();
&save_table($table);
&run_after_command();
©_to_cluster();
&unlock_file($ipvx_save);
&webmin_log($in{'delete'} ? "delete" : $in{'new'} ? "create" : "modify",
"rule", undef, { 'chain' => $rule->{'chain'},
'table' => $table->{'name'} });
&redirect("index.cgi?version=${ipvx_arg}&table=$in{'table'}");
# parse_mode(name, &rule, option)
sub parse_mode
{
if ($in{"$_[0]_mode"} == 0) {
delete($_[1]->{$_[2]});
return 0;
}
elsif ($in{"$_[0]_mode"} == 1) {
$_[1]->{$_[2]} = [ "" ];
return 1;
}
else {
$_[1]->{$_[2]} = [ "!" ];
return 1;
}
}
| Name | Type | Size | Permission | Actions |
|---|---|---|---|---|
| help | Folder | 0755 |
|
|
| images | Folder | 0755 |
|
|
| lang | Folder | 0755 |
|
|
| acl_security.pl | File | 1.02 KB | 0755 |
|
| apply.cgi | File | 512 B | 0755 |
|
| backup_config.pl | File | 649 B | 0755 |
|
| bootup.cgi | File | 600 B | 0755 |
|
| cgi_args.pl | File | 430 B | 0755 |
|
| cluster.cgi | File | 2.08 KB | 0755 |
|
| cluster_add.cgi | File | 2.19 KB | 0755 |
|
| cluster_delete.cgi | File | 651 B | 0755 |
|
| coherent-linux-lib.pl | File | 1.54 KB | 0755 |
|
| config | File | 83 B | 0644 |
|
| config.info | File | 1.23 KB | 0644 |
|
| config.info.ca | File | 1.5 KB | 0644 |
|
| config.info.cs | File | 982 B | 0644 |
|
| config.info.de | File | 1.42 KB | 0644 |
|
| config.info.fr | File | 1.63 KB | 0644 |
|
| config.info.ja | File | 421 B | 0644 |
|
| config.info.nl | File | 976 B | 0644 |
|
| config.info.no | File | 968 B | 0644 |
|
| config.info.pl | File | 1012 B | 0644 |
|
| config.info.pt_BR | File | 983 B | 0644 |
|
| config.info.ru | File | 1.31 KB | 0644 |
|
| config.info.sk | File | 989 B | 0644 |
|
| config.info.tr | File | 827 B | 0644 |
|
| convert.cgi | File | 756 B | 0755 |
|
| debian-linux-lib.pl | File | 4.69 KB | 0755 |
|
| defaultacl | File | 100 B | 0644 |
|
| edit_rule.cgi | File | 14.88 KB | 0755 |
|
| firewall-lib.pl | File | 17.32 KB | 0755 |
|
| firewall4-lib.pl | File | 1.82 KB | 0755 |
|
| firewall6-lib.pl | File | 1.76 KB | 0755 |
|
| gentoo-linux-lib.pl | File | 722 B | 0755 |
|
| index.cgi | File | 16.42 KB | 0755 |
|
| install_check.pl | File | 841 B | 0755 |
|
| log_parser.pl | File | 835 B | 0755 |
|
| mandrake-linux-lib.pl | File | 1.69 KB | 0755 |
|
| module.info | File | 238 B | 0644 |
|
| module.info.af | File | 0 B | 0644 |
|
| module.info.af.auto | File | 182 B | 0644 |
|
| module.info.ar | File | 0 B | 0644 |
|
| module.info.ar.auto | File | 254 B | 0644 |
|
| module.info.be | File | 0 B | 0644 |
|
| module.info.be.auto | File | 278 B | 0644 |
|
| module.info.bg | File | 0 B | 0644 |
|
| module.info.bg.auto | File | 299 B | 0644 |
|
| module.info.ca | File | 155 B | 0644 |
|
| module.info.ca.auto | File | 18 B | 0644 |
|
| module.info.cs | File | 0 B | 0644 |
|
| module.info.cs.auto | File | 194 B | 0644 |
|
| module.info.da | File | 0 B | 0644 |
|
| module.info.da.auto | File | 183 B | 0644 |
|
| module.info.de | File | 161 B | 0644 |
|
| module.info.de.auto | File | 18 B | 0644 |
|
| module.info.el | File | 0 B | 0644 |
|
| module.info.el.auto | File | 346 B | 0644 |
|
| module.info.es | File | 0 B | 0644 |
|
| module.info.es.auto | File | 185 B | 0644 |
|
| module.info.eu | File | 0 B | 0644 |
|
| module.info.eu.auto | File | 167 B | 0644 |
|
| module.info.fa | File | 0 B | 0644 |
|
| module.info.fa.auto | File | 268 B | 0644 |
|
| module.info.fi | File | 0 B | 0644 |
|
| module.info.fi.auto | File | 186 B | 0644 |
|
| module.info.fr | File | 0 B | 0644 |
|
| module.info.fr.auto | File | 180 B | 0644 |
|
| module.info.he | File | 0 B | 0644 |
|
| module.info.he.auto | File | 251 B | 0644 |
|
| module.info.hr | File | 0 B | 0644 |
|
| module.info.hr.auto | File | 173 B | 0644 |
|
| module.info.hu | File | 0 B | 0644 |
|
| module.info.hu.auto | File | 201 B | 0644 |
|
| module.info.it | File | 0 B | 0644 |
|
| module.info.it.auto | File | 174 B | 0644 |
|
| module.info.ja | File | 0 B | 0644 |
|
| module.info.ja.auto | File | 263 B | 0644 |
|
| module.info.ko | File | 0 B | 0644 |
|
| module.info.ko.auto | File | 206 B | 0644 |
|
| module.info.lt | File | 0 B | 0644 |
|
| module.info.lt.auto | File | 209 B | 0644 |
|
| module.info.lv | File | 0 B | 0644 |
|
| module.info.lv.auto | File | 180 B | 0644 |
|
| module.info.ms | File | 0 B | 0644 |
|
| module.info.ms.auto | File | 176 B | 0644 |
|
| module.info.mt | File | 0 B | 0644 |
|
| module.info.mt.auto | File | 192 B | 0644 |
|
| module.info.nl | File | 0 B | 0644 |
|
| module.info.nl.auto | File | 186 B | 0644 |
|
| module.info.no | File | 0 B | 0644 |
|
| module.info.no.auto | File | 176 B | 0644 |
|
| module.info.pl | File | 0 B | 0644 |
|
| module.info.pl.auto | File | 197 B | 0644 |
|
| module.info.pt | File | 0 B | 0644 |
|
| module.info.pt.auto | File | 172 B | 0644 |
|
| module.info.pt_BR | File | 0 B | 0644 |
|
| module.info.pt_BR.auto | File | 181 B | 0644 |
|
| module.info.ro | File | 0 B | 0644 |
|
| module.info.ro.auto | File | 186 B | 0644 |
|
| module.info.ru | File | 0 B | 0644 |
|
| module.info.ru.auto | File | 250 B | 0644 |
|
| module.info.sk | File | 0 B | 0644 |
|
| module.info.sk.auto | File | 203 B | 0644 |
|
| module.info.sl | File | 0 B | 0644 |
|
| module.info.sl.auto | File | 182 B | 0644 |
|
| module.info.sv | File | 0 B | 0644 |
|
| module.info.sv.auto | File | 177 B | 0644 |
|
| module.info.th | File | 0 B | 0644 |
|
| module.info.th.auto | File | 275 B | 0644 |
|
| module.info.tr | File | 0 B | 0644 |
|
| module.info.tr.auto | File | 222 B | 0644 |
|
| module.info.uk | File | 0 B | 0644 |
|
| module.info.uk.auto | File | 291 B | 0644 |
|
| module.info.ur | File | 0 B | 0644 |
|
| module.info.ur.auto | File | 306 B | 0644 |
|
| module.info.vi | File | 0 B | 0644 |
|
| module.info.vi.auto | File | 205 B | 0644 |
|
| module.info.zh | File | 0 B | 0644 |
|
| module.info.zh.auto | File | 146 B | 0644 |
|
| module.info.zh_TW | File | 0 B | 0644 |
|
| module.info.zh_TW.auto | File | 155 B | 0644 |
|
| move.cgi | File | 1.29 KB | 0755 |
|
| newchain.cgi | File | 898 B | 0755 |
|
| open-ports.pl | File | 3.4 KB | 0755 |
|
| prefs.info | File | 55 B | 0644 |
|
| redhat-linux-lib.pl | File | 2.14 KB | 0755 |
|
| save_policy.cgi | File | 7.15 KB | 0755 |
|
| save_rule.cgi | File | 12.4 KB | 0755 |
|
| save_rule6.cgi | File | 12.05 KB | 0755 |
|
| setup.cgi | File | 9.37 KB | 0755 |
|
| setup6.cgi | File | 8.12 KB | 0755 |
|
| trustix-linux-lib.pl | File | 2.14 KB | 0755 |
|
| unapply.cgi | File | 609 B | 0755 |
|